
Virtual IPs

 
Johan Boije
New Member

Virtual IPs

I have several IPs bound to lan0 (that all belong to the same subnet) and one IP bound to lan1 (which belongs to another subnet).

I have apache bound to the IP on lan1 and it is acting as a webproxy.

How can I make the outgoing request go out through a specific virtual IP on lan0 and not through the real IP? This can't be controlled from within apache and I'm thus looking for a network configuration related solution.
9 REPLIES
melvyn burnard
Honored Contributor

Re: Virtual IPs

To my knowledge, the only way to do this is to have the application bind() to the virtual IP address. I do not know if Apache can do this.
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
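The bind()-before-connect() approach this reply refers to, as an added example that is not part of the original thread: fixing the local address on the socket means the firewall sees the chosen source IP regardless of which address the stack would pick by default. The loopback listener and the use of 127.0.0.2 as a stand-in for a secondary address such as lan0:2 are assumptions made so the example runs offline on Linux.

```python
import socket

def connect_from(source_ip, dest, timeout=5.0):
    """Open a TCP connection to dest with source_ip as the local address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        # bind() before connect(): port 0 leaves the port to the kernel, but the
        # address is now fixed instead of being chosen by the network stack.
        sock.bind((source_ip, 0))
        sock.connect(dest)
    except OSError:
        # e.g. EADDRNOTAVAIL when source_ip is not configured on this host
        sock.close()
        raise
    return sock

def observed_source(source_ip):
    """Connect to a throwaway loopback listener; return the peer IP it sees."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.settimeout(5.0)
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        with connect_from(source_ip, listener.getsockname()):
            # The handshake already completed in the backlog, so accept()
            # returns immediately with the client's address.
            conn, peer = listener.accept()
            conn.close()
    return peer[0]

if __name__ == "__main__":
    # Constructed demo: on Linux all of 127.0.0.0/8 is local, so 127.0.0.2
    # stands in for a secondary (virtual) address.
    print(observed_source("127.0.0.2"))
```

Python's `socket.create_connection()` accepts a `source_address` argument that performs the same bind for you.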
Johan Boije
New Member

Re: Virtual IPs

Thank you for your comment!

This would be ok, but the clients are on the other subnet and therefore I have to have apache listening to the address that is bound to the other NIC (lan1).

outernet_work-|lan0 lan1|-internal_network
VIPs apache

But I would like outgoing requests to use a certain one of the many virtual IPs on lan0. Right now they use the correct NIC (lan0) as it is the one connected to the outer network, but not the desired virtual IP...

How is the default IP determined if there are several suitable as in this case?

Krishna Prasad
Trusted Contributor

Re: Virtual IPs

Let me see if this is what you want?

You want inbound requests to come in via lan1 but outbound to go out via lan0? I am not sure if the basic networking applications will do this.

If you can address these ports under different hostnames you can do this. For example we have an oracle application. We have two network cards. We name lan0 with IP in DNS/hosts as host1, we name lan1 with different IP in DNS/hosts as host2. We have all clients attach using lan0 (host1) but all hosts to hosts connections use lan1 (host2). However, we can not have client connects come in host1 and out host2.

Either way, when you said you want several virtual IPs going out, wouldn't you still need to go through the same card? It wouldn't really give much of a performance boost. If you are trying to use a virtual IP to mask your real IP from one side of the firewall, I think Cisco has devices that can use a virtual IP within the DMZ to do this. If you want performance I recommend HP software called APA. This will allow you to configure several ports into one IP address that can be full duplexed.

I hope I understood your question correctly and my response helps.

Ron
Positive Results requires Positive Thinking
Johan Boije
New Member

Re: Virtual IPs

Thank you Ron for your comments!

I might need to try to define the situation more carefully. The reason for this fiddling is that we'd like to separate the web proxy traffic from other traffic so we could set up some clever firewall rules...

So the host has two NICs: it is connected to the external network (internet) through lan0 and to the internal network (where the users are) through lan1. I.e. both NICs are connected to separate networks.

There is an apache proxy listening on the IP that is bound to lan1. As it receives a request from a client browser it will, if needed, fetch the html page from the internet through lan0. Thus the proxy uses the lan0 interface at times even if it is listening on the IP bound to lan1. (This was what I meant by outbound requests.)

This is achieved through normal lan and route configurations in /etc/rc.config.d/network.

The real question is if it is possible to make one of the virtual IPs on lan0 as the "default gateway device"?

lan0 some-ip subnetmask-1 gateway-1
lan0:1 other-ip-1 subnetmask-1 gateway-1
lan0:2 other-ip-2 subnetmask-1 gateway-1
lan0:3 other-ip-3 subnetmask-1 gateway-1

I would like traffic to choose "other-ip-2" per default instead of the "some-ip".

(The virtual IPs are there for different reasons: they all, but this one, have services connected to them listening.)

What controls which IP is used when there are several virtual IPs that have the same settings? (see the simplified table above)

Is it the order of interface activation or is it the non-virtual address always?

Another example so we don't get too tangled up with the web server itself: Let's say I telnet out of the box, it would look like I would telnet out from "some-ip" and not "other-ip-2". I would like to be able to control this behaviour.
Pal Szabo_1
Valued Contributor

Re: Virtual IPs

Hi Johan!

The outgoing IP address is controlled through the routing table.
If you want to set it up so that a specific IP is shown in the outgoing packet, you have to do two things:

1. You must set up a virtual interface.
2. You must set up a route to use this specific interface.

I'll try to explain it with an example. My routing table is as follows:

# netstat -rn
Routing tables
Dest/Netmask Gateway Flags Refs Use Interface Pmtu
10.1.2.3 10.1.2.3 UH 0 0 lan0:1 4136
127.0.0.1 127.0.0.1 UH 0 75148 lo0 4136
192.168.103.2 192.168.103.2 UH 0 364788 lan0 4136
192.168.103.0 192.168.103.2 U 3 0 lan0 1500
10.0.0.0 10.1.2.3 U 3 0 lan0:1 1500
127.0.0.0 127.0.0.1 U 0 0 lo0 4136
default 192.168.103.1 UG 0 0 lan0 1500

I configure a virtual interface:
# ifconfig lan0:1 10.1.2.3

# netstat -rn
Routing tables
Dest/Netmask Gateway Flags Refs Use Interface Pmtu
10.1.2.3 10.1.2.3 UH 0 0 lan0:1 4136
127.0.0.1 127.0.0.1 UH 0 75148 lo0 4136
192.168.103.2 192.168.103.2 UH 0 364788 lan0 4136
192.168.103.0 192.168.103.2 U 3 0 lan0 1500
10.0.0.0 10.1.2.3 U 3 0 lan0:1 1500
127.0.0.0 127.0.0.1 U 0 0 lo0 4136
default 192.168.103.1 UG 0 0 lan0 1500

So, I want to set it up so that we use this IP address for the host 20.3.4.5:

# route add host 20.3.4.5 10.1.2.3

# netstat -rn
Routing tables
Dest/Netmask Gateway Flags Refs Use Interface Pmtu
10.1.2.3 10.1.2.3 UH 0 0 lan0:1 4136
127.0.0.1 127.0.0.1 UH 0 75148 lo0 4136
192.168.103.2 192.168.103.2 UH 0 364898 lan0 4136
20.3.4.5 10.1.2.3 UH 0 0 lan0:1 1500
192.168.103.0 192.168.103.2 U 3 0 lan0 1500
10.0.0.0 10.1.2.3 U 3 0 lan0:1 1500
127.0.0.0 127.0.0.1 U 0 0 lo0 4136
default 192.168.103.1 UG 0 0 lan0 1500

After that, every request goes through the lan0:1 interface, with the outgoing IP address (10.1.2.3).
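The route selection described in the post above, modelled as an added example that is not part of the original thread: it parses the final `netstat -rn` listing and applies longest-prefix match to show which interface, and therefore which source address, a given destination would use, which is the address a firewall rule has to match. Because the listing shows no netmasks, classful masks are assumed, and the rule that the source address is the address of the selected interface follows the post's description rather than any HP-UX documentation.

```python
import ipaddress

# Constructed input: the final `netstat -rn` listing from the post, headers removed.
NETSTAT = """\
10.1.2.3 10.1.2.3 UH 0 0 lan0:1 4136
127.0.0.1 127.0.0.1 UH 0 75148 lo0 4136
192.168.103.2 192.168.103.2 UH 0 364898 lan0 4136
20.3.4.5 10.1.2.3 UH 0 0 lan0:1 1500
192.168.103.0 192.168.103.2 U 3 0 lan0 1500
10.0.0.0 10.1.2.3 U 3 0 lan0:1 1500
127.0.0.0 127.0.0.1 U 0 0 lo0 4136
default 192.168.103.1 UG 0 0 lan0 1500
"""

def classful_prefix(dest):
    # Assumption: the listing shows no netmasks, so infer the classful one.
    first = int(dest.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24

def parse_routes(text):
    """Return (network, gateway, interface) tuples, one per routing entry."""
    routes = []
    for line in text.strip().splitlines():
        dest, gateway, flags, _refs, _use, iface, _pmtu = line.split()
        if dest == "default":
            prefix, dest = 0, "0.0.0.0"
        elif "H" in flags:  # host route
            prefix = 32
        else:
            prefix = classful_prefix(dest)
        routes.append((ipaddress.ip_network(f"{dest}/{prefix}"), gateway, iface))
    return routes

def egress(dest_ip, routes):
    """Longest-prefix match; return (interface, source address) or None."""
    addr = ipaddress.ip_address(dest_ip)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _net, _gw, iface = max(matches, key=lambda r: r[0].prefixlen)
    # An interface's own address appears as a host route pointing at itself.
    local = {i: gw for n, gw, i in routes
             if n.prefixlen == 32 and str(n.network_address) == gw}
    return iface, local.get(iface)

if __name__ == "__main__":
    table = parse_routes(NETSTAT)
    for dest in ("20.3.4.5", "10.200.1.1", "192.168.103.50", "198.51.100.7"):
        print(dest, "->", egress(dest, table))
```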
Mark van Hassel
Respected Contributor

Re: Virtual IPs

Hi,

You cannot control over which IP the system accesses the gateway. It does not matter really since you have several IP addresses on the same subnet on one interface (all traffic goes over the same subnet and LAN interface anyway).

If you say that lan1 is connected to the local network and lan0 to the internet, how is it possible that a page from the internet is fetched via lan0 (which is not connected to the internet)?

If lan0 is connected to the outside world, just define a default gateway on that subnet.

You can even define two default gateways (just add them to /etc/rc.config.d/netconf), however which one will be the primary is not definable.

But again, the default gateway is defined on the subnet not on the IP address.

Hope this helps,

Mark
The surest sign that life exists elsewhere in the universe is that none of it has tried to contact us
Xavier Gutierrez
Frequent Advisor

Re: Virtual IPs

Hi all,

(In response to Mark van Hassel)

Try what Pal Szabo posted just above you and you'll realize that routes can be forced to go through specific IP addresses (what would be the interest of virtual IPAs if you couldn't?).

Regards
Live fast, die young!
Mark van Hassel
Respected Contributor

Re: Virtual IPs

Hi,

I believe that a setup like that is only possible when the system is connected to a hub and not to a switch. I think that it's only possible to define 1 vlan per switch port and that therefore the virtual IP (lan0:1) should be on the same subnet as the actual IP (lan0). This would mean that you can add a virtual IPA from a different subnet to that interface, but there will be no traffic past the switch.
The surest sign that life exists elsewhere in the universe is that none of it has tried to contact us
Ron Kinner
Honored Contributor

Re: Virtual IPs

Johan,

I have been reading this thread trying to understand what is wanted. Am I correct in believing that what you are looking for is a way of controlling the source address of the packet being sent out? For some reason you want replies to come back to a particular address, either because the particular address has special filters or services or because the other end doesn't know how to get back to any other addresses or would have to detour through a router to do it. Or perhaps your router is queuing/routing based on source address?

On a Cisco router with secondary ip addresses all packets leave the interface with the primary ip address as the source. It doesn't matter to which destination subnet they are going. I'm not sure how HP does it but I would guess that the first address you assign to a NIC would be the equivalent of the Cisco primary address and any additional addresses would be secondary and not used as source addresses. I expect that if this is the case you will need to reinstall the NIC card and assign the address you want as the source to be the first one you enter.

Then again it may just choose the lowest IP address.

Mark,

Remember that VLANs are layer 2 and do not know anything about IP except possibly a management address. You can have multiple subnets in a VLAN. True. Most people don't but you can.

You can also have multiple VLANs on a port but then the port has to be configured as a trunk and the box on the other end has to understand VLANs and IEEE 802.1Q tagging. If the HP understood this AND is talking via a trunk link to a VLAN capable switch which uses IEEE 802.1Q tagging then I expect the problem would already have been solved.

I see from the docs.hp.com site that 11.i does do VLANs and 802.1Q tagging. Johan, you might want to look into that if your switch supports it.

Ron